In this paper, a new authentication model for M-Commerce is proposed. The protocol has three novel characteristics as opposed to the existing protocols involving trusted third party in M-commerce. Firstly, it is minimal and can reduce the requirement of computational resources for mobile terminals. Secondly, it is manageable. The third party just provides security authentication, credit standing and session key for both the buyer and the seller, whereas it doesn't provide buyer's private payment information such as credit-card / debit-card information. In this way, it can avoid large scale of identity theft effectively. Thirdly, it can meet SSO of buyers. Its correctness is verified by using CSP/FDR. The checking result shows that this new protocol model satisfies the authentication and key distribution properties that it claimed.